Jump to content

Cannot get rid of Tango malware


Recommended Posts

I hope I am posting in the correct forum.

My PC is infected with Tango. The system has the following symptoms:

1) Ran Malware bytes - it successfully remove gabpath - do not see in control panel anymore.

2) Malware bytes detected Tango and said that this is removed successfully (see log below). However, Tango is still there in the control panel.

3) Most google search results get redirected to random sites.

Log from last run of Malware bytes is as follows.

Help is greatly appreciated!

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4436

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

16/08/2010 4:17:14 PM

mbam-log-2010-08-16 (16-17-14).txt

Scan type: Full scan (C:\|)

Objects scanned: 351260

Time elapsed: 2 hour(s), 54 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 2

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\resultdns (Adware.ResultDns) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RESULTDNS_SERVICE (Adware.ResultDns) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ResultDns Service (Adware.ResultDns) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.SearchPage) -> Bad: (http://www.tangosearch.com/?useie5=1&q=) Good: (http://www.google.com) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.SearchPage) -> Bad: (http://www.tangosearch.com/?useie5=1&q=) Good: (http://www.google.com) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.

C:\Program Files\ResultDns (Adware.ResultDns) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\All Users\Application Data\ResultDns\resultdns111.exe (Adware.ResultDns) -> Quarantined and deleted successfully.

C:\Program Files\ResultDns\resultdns.dll (Adware.ResultDNS) -> Quarantined and deleted successfully.

C:\Program Files\ResultDns\resultdns.exe (Adware.ResultDns) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\RES4121.tmp\upgrade.exe (Adware.ResultDNS) -> Quarantined and deleted successfully.

C:\Program Files\ResultDns\uninstall.exe (Adware.ResultDns) -> Quarantined and deleted successfully.

C:\Documents and Settings\jameelc\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

Link to post
Share on other sites

:) Added hijack this log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:24:46 PM, on 17/08/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Cisco Systems\SSL VPN

Client\agent.exe

C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\IPSSVC.EXE

C:\Program

Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device

Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Symantec\Backup

Exec\DLO\DLOChangeLogSvcu.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Microsoft

Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program

Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\TpShocks.exe

C:\Program Files\Common Files\Symantec

Shared\ccApp.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Sony

Shared\Fsk\SonySCSIHelperService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program

Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program

Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

C:\Program Files\Microsoft

Office\Office14\OUTLOOK.EXE

C:\Program

Files\Google\Chrome\Application\chrome.exe

C:\Program

Files\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend

Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.msn.ca/

O2 - BHO: URLRedirectionBHO -

{B4F3A835-0E21-4959-BA22-42B3008E02FF} -

C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL

O4 - HKLM\..\Run: [synTPEnh] C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray]

C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: OneNote 2010 Screen Clipper and

Launcher.lnk = C:\Program Files\Microsoft

Office\Office14\ONENOTEM.EXE

O4 - Global Startup: Cisco Systems VPN Client.lnk =

C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://www.update.microsoft.com/microsoftupdate/v6/V

5Controls/en/x86/client/wuweb_site.cab?1229710810015

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://www.update.microsoft.com/microsoftupdate/v6/V

5Controls/en/x86/client/muweb_site.cab?1229710792531

O16 - DPF: {705EC6D4-B138-4079-A307-EF13E40C2416}

(InstallerWeb Control) -

https://vendorvpn.chartercom.com/CACHE/sdesktop/inst

all/binaries/instweb.cab

O17 - HKLM\Software\..\Telephony: DomainName =

sigmasys.net

O17 -

HKLM\System\CCS\Services\Tcpip\..\{E396ABE1-7A28-403

3-84C5-A6D3FF8EB5A4}: Domain = sigmasys.net

O17 -

HKLM\System\CCS\Services\Tcpip\..\{E396ABE1-7A28-403

3-84C5-A6D3FF8EB5A4}: NameServer =

10.0.100.10,10.0.100.11

O17 - HKLM\System\CS1\Services\Tcpip\Parameters:

SearchList = sigmasys.net

O17 - HKLM\System\CCS\Services\Tcpip\Parameters:

SearchList = sigmasys.net

O20 - Winlogon Notify: !SASWinLogon - C:\Program

Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: AwayNotify - C:\Program

Files\Lenovo\AwayTask\AwayNotify.dll

O23 - Service: Ac Profile Manager Service

(AcPrfMgrSvc) - Unknown owner - C:\Program

Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Atheros Configuration Service (acs) -

Atheros - C:\WINDOWS\system32\acs.exe

O23 - Service: Access Connections Main Service

(AcSvc) - Lenovo - C:\Program

Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. -

C:\Program Files\Common Files\Apple\Mobile Device

Support\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies

Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. -

C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) -

Broadcom Corporation. - C:\Program

Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr)

- Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service

(CVPND) - Cisco Systems, Inc. - C:\Program

Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher

(DefWatch) - Symantec Corporation - C:\Program

Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Symantec Backup Exec Desktop Agent

Change Journal Reader (DLOChangeJournalSvc) -

Symantec Corporation - C:\Program

Files\Symantec\Backup Exec\DLO\DLOChangeLogSvcu.exe

O23 - Service: Google Update Service

(gupdate1ca3259ac278da8) (gupdate1ca3259ac278da8) -

Google Inc. - C:\Program

Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) -

Google - C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) -

Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: InstallDriver Table Manager

(IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\1050\Intel

32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. -

C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IPS Core Service (IPSSVC) - Lenovo

Group Limited - C:\WINDOWS\system32\IPSSVC.EXE

O23 - Service: Java Quick Starter

(JavaQuickStarterService) - Sun Microsystems, Inc. -

C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LogMeIn Maintenance Service

(LMIMaint) - LogMeIn, Inc. - C:\Program

Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program

Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: Active Directory Migration Agent

(OnePointDomainAdminService) - Unknown owner -

C:\Program

Files\OnePointDomainAgent\DCTAgentService.exe (file

missing)

O23 - Service: IBM PSA Access Driver Control

(PsaSrv) - Unknown owner -

C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec -

C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service

(SNDSrvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Sony SCSI Helper Service - Sony

Corporation - C:\Program Files\Common Files\Sony

Shared\Fsk\SonySCSIHelperService.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Cisco Systems, Inc. STC Agent

(STCAgent) - Cisco Systems, Inc. - C:\Program

Files\Cisco Systems\SSL VPN Client\agent.exe

O23 - Service: System Update (SUService) - Lenovo

Group Limited - c:\program files\lenovo\system

update\suservice.exe

O23 - Service: Symantec AntiVirus - Symantec

Corporation - C:\Program Files\Symantec

AntiVirus\Rtvscan.exe

O23 - Service: ThinkPad HDD APS Logging Service

(TPHDEXLGSVC) - Lenovo. -

C:\WINDOWS\System32\TPHDEXLG.EXE

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown

owner - C:\WINDOWS\system32\TpKmpSVC.exe

O23 - Service: TSS Core Service (TSSCoreService) -

IBM - C:\Program Files\Lenovo\Client Security

Solution\tvttcsd.exe

--

End of file - 9091 bytes

Link to post
Share on other sites

Hello jameelch! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.
  • Keep me informed about any changes.

Please follow these instructions and post all logs if you can:

http://forums.malwarebytes.org/index.php?showtopic=9573

Link to post
Share on other sites

  • 1 month later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.